Germany adopts “anti-hacker” law; critics say it breeds insecurity

Germany has just tightened up its criminal code to make hacking into computer …

Germany has just passed a new law that adds more "anti-hacker" provisions to the German criminal code. Although the new rules are meant to apply narrowly to hacking, critics are already complaining that they may prevent necessary security and network research.

The new rules tighten up the existing sanctions and prohibit any unauthorized user from disabling or circumventing computer security measures to access secure data (see the law, section 202 [in German]). Manufacturing, programming, installing, or spreading software that has the primary goal of circumventing security measures is verboten, which means that some security scanning tools might become illegal. In theory, this applies only to illicit programs like trojans, but some groups worry about how the new criteria will be applied. The Chaos Computer Club in Germany said of the decision, "Forbidding this software is about as helpful as forbidding the sale and production of hammers because sometimes they also cause damage."

In addition, denial of service attacks are now explicitly illegal, even if they're done as pranks. People convicted under the new law could face ten years in prison and be held liable for monetary damages.

Chaos Computer Club spokesman Andy Mueller Maguhn said that "safety research can [now] take place only in an unacceptable legal gray area." The group is also concerned that the new legislation will make it easier for the police to obtain information by hacking—something that was outlawed by the courts a few months back.

Germany's decision to tighten up the statutes against hacking come as the EU develops its own framework for dealing with cyber-crime. The European Commission circulated a "communication" this week that seeks to start a dialogue on crafting a European-wide policy to fight cyber-crime.

That document suggests working first on international relations and cross-border police cooperation, but additional legislation might also be necessary on the national level. DDoS attacks and botnets are both explicitly mentioned in the document, and the EU is no doubt worried about more than "traditional" cyber-crime in the wake of the massive DDoS attack against Estonia in the last few weeks.